Check if user is enrolled in MFA

Hello there!
I was wondering if there was a way to check if the user is enrolled in MFA - i.e. entered their phone number - inside of a rule? From what I can tell the user object doesn’t pass around any information other than multifactor: ['guardian'], even though in the raw JSON I can see a guardian_authenticators attribute.


As far as I’m aware you can’t check if a user is enrolled. What you can do is add a bit of data to app_metadata to signal to the rule that MFA should be required for that user (something like: "mfa_enabled": true). Then deciding to do MFA is as simple as an if statement to check for that particular value.

Yeah, we do something like that in a rule, but that gets set to trigger the MFA rule. What we want is to know when the user actually enrolls their phone number through MFA, since the user can trigger MFA but never actually enroll with their phone number.


Haven’t been able to test this yet, but it appears you can set selfServiceEnrollment to false to sort of achieve the same thing: only if a user actually enrolled, the widget will display. Again, haven’t been able to test it.

I am in the exact same boat. I am sending the user an enrollment email but I don’t want to require multifactor until they have actually enabled it. Was a solution to this ever found? What is the recommended way of solving this problem?

For my case, we are using the enabled_mfa flag approach. In a rule, we check if that flag exists and if the mode is LogIn; if that’s true we set the flag, and in the MFA rule that sets up guardian it looks for that flag to be true in order to kick in.


Thanks a lot for sharing your approach with the rest of the community @anja!
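The app_metadata flag approach described in the replies above, written out as an added example (not code posted by anyone in this thread). It assumes the legacy Rules signature `(user, context, callback)` and the `mfa_enabled` key suggested earlier; the function names and the `applyRule` helper with its constructed users are hypothetical and exist only so the rule can be exercised outside Auth0.

```javascript
// Rule body: require Guardian MFA only for users carrying the flag.
// In the Auth0 dashboard this would be pasted as an anonymous
// function (user, context, callback) { ... }; it is named here for testing.
function requireMfaWhenFlagged(user, context, callback) {
  // app_metadata can be missing on users that were never flagged.
  // The flag lives in app_metadata rather than user_metadata because
  // user_metadata is meant to be editable by the user.
  const appMetadata = user.app_metadata || {};

  // Only a literal boolean true enables MFA; a string such as "true"
  // written by a sloppy provisioning script does NOT enable it.
  if (appMetadata.mfa_enabled === true) {
    context.multifactor = {
      provider: 'guardian',
      allowRememberBrowser: false
    };
  }

  // The flag records that MFA was requested for this user. It does not
  // prove the user finished enrolling a phone number, which is the gap
  // the thread is asking about.
  callback(null, user, context);
}

// Hypothetical local harness: runs the rule against a constructed user
// object and returns the resulting context.
function applyRule(user) {
  const context = {};
  let error = null;
  requireMfaWhenFlagged(user, context, (err) => { error = err; });
  if (error) throw error;
  return context;
}

// Constructed sample users (not real accounts).
const flaggedUser = { user_id: 'auth0|example-1', app_metadata: { mfa_enabled: true } };
const unflaggedUser = { user_id: 'auth0|example-2' };

console.log(applyRule(flaggedUser).multifactor);   // Guardian settings object
console.log(applyRule(unflaggedUser).multifactor); // undefined
```

Because a malformed flag leaves MFA off, whatever process writes `mfa_enabled` should store it as a boolean and be audited along with the rule.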
